back to article California emits fine-print of its GDPR-ish digital privacy law, complete with Google and Facebook-sized holes

The final rules for California’s digital privacy law have been published and they are… full of holes. California's attorney general Xavier Becerra revealed the details [PDF] for how his office will define and enforce the landmark law, which is supposed to give residents of America's Golden State the right to demand what data …

  1. HildyJ Silver badge
    Big Brother

    Light beer

    No, it's not the GDPR but, sadly, it represents more protection for Californians than for residents of the other 49 states. Ideally, it's just a first step.

    Still, especially in this day and age, light beer is better than no beer.

    1. Anonymous Coward
      Anonymous Coward

      Re: Light beer

      California : Still the leading the way at setting a terrible example.

    2. LDS Silver badge

      "Ideally, it's just a first step."

      Or the last one because it tells lobbies they are capable to water down and stop any attempt?

      1. NetBlackOps Bronze badge
        Holmes

        Re: "Ideally, it's just a first step."

        Leaving those loopholes achieves two things. First, that the interests of the tech giants and advertising industry have been served, thereby assuring future campaign contributions by way of a reward. A form of gratuity if you wish to put a minimal veneer of respectability to it. Secondly, all loopholes can be closed at a future date, call it clarification of the terms within those rules. Therefore, a method of extracting future campaign contributions from said tech giants and the advertising industry in order to prevent such clarification. Further, a nice gift to future attorneys general.

        As always, follow the money.

        1. RM Myers Bronze badge

          Re: "Ideally, it's just a first step."

          Couldn't agree more. Ambiguous laws and regulations are a wet dream for politicians seeking campaign donations.

        2. DemeterLast

          Re: "Ideally, it's just a first step."

          Don't forget that it's also a hammer that can be used--selectively, on an as-needed basis--to pound down any nails that have the impertinence to stick up.

          Legislation in the US, from local to state to federal, is so compromised that it would be preferable to have monkeys at typewriters writing laws.

      2. fidodogbreath Silver badge

        Re: "Ideally, it's just a first step."

        Or the last one because it tells lobbies they are capable to water down and stop any attempt?

        They already knew that. The entire US political "system" is built on the concept of pay-to-play.

        "Corporations are people, my friend."

  2. Mike 137 Silver badge

    Actually it's quite different from the GDPR

    This legislation is essentially about data sharing - hence "§ 999.305. Notice at Collection of Personal Information (d) A business that does not collect personal information directly from the consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information."

    The GDPR is about protecting the data subject's human rights (which include privacy), and it takes into account a wide definition of harm.

    This is a fundamental difference that is consistently overlooked.

  3. John Jennings Bronze badge

    Good start, could do better

    Looking at the new GDPR light, it does appear that the next ballot is necessary.

    We were waiting for the new guidance - its light on detail where we wanted to see clarity, but its better than nothing. It seems that California is taking an evolutionary approach - which is not ideal. We are taking the approach that what flies in the sunshine state will be applied to all us states - I hope that other companies do the same, but the evolutionary changes means that we have to do this again, and again.

    We dont use personal data much on our sites - just enough to be a PITA.

    With any new body that the next legislation creates, I would be nervous. It is likely to be funded based upon fines - and its easier to clobber smaller organisations that it is to go after the giants. The ICO discovered this in the UK, when it couldn't impose fines on British Airways,because basically it couldn't afford the legal fees.

    1. LucreLout Silver badge

      Re: Good start, could do better

      It seems that California is taking an evolutionary approach - which is not ideal. We are taking the approach that what flies in the sunshine state will be applied to all us states - I hope that other companies do the same, but the evolutionary changes means that we have to do this again, and again.

      Quite. It's getting a little silly now, when you consider a global business will trade in potentially 50 or more legal jurisdictions, trying to manage 50 different data collection and retention schema's plus another 50 from Uncle Sam, and breaches become an inevitability rather than a sign of intentional corporate misbehavior.

      1. John Brown (no body) Silver badge

        Re: Good start, could do better

        Any company trading in so many jurisdictions already has to deal with different laws and regulations in each jurisdiction from advertising rules to collecting and paying sales taxes and many others.

      2. keith_w Bronze badge

        Re: Good start, could do better

        There are 195 countries in the world. Most of which have different privacy laws. Why should an extra 50 be a problem?

  4. Pascal Monett Silver badge
    Unhappy

    I am disappointed

    I have followed this issue since being alerted in these hallowed pages that there were Californians able to Do The Right Thing and get their state to GDPR-like levels.

    This is not that. And a new regulatory body is just a small nuisance to companies like Google and Facebook.

    I was hoping for much better, but I guess you take what you get and carry on with a smile.

    1. bombastic bob Silver badge
      Unhappy

      Re: I am disappointed

      California legislature hasn't "done the right thing" in DECADES, from my point of view...

      A weak law with a strong-sounding name, coupled with special provisions for "the donor class" is kind of what you'd expect from the California legislative body. Swiss cheese indeed. Just like it said in the 2nd half of the title.

      (a REAL GDPR-like law would have been WELCOME, but I never expected it to happen)

      Even with a ballot measure to strengthen it, I don't expect anything to NOT be "challenged away into obvlivion" in the court system.

      Texas is looking better and better these days...

  5. ThatOne Silver badge

    Well, people shouldn't stop now, because as more and more enterprises are realizing the easy money they can make selling customer data, the problem will be getting more serious every day. At some point it will be impossible to control this anymore, because everybody having something to say will have a finger in the pie.

    It's now, while customer data peddling enterprises are still just a minority, that you have a chance to stop the evolution. Also the data pushers didn't start their big counter-offensive yet, the big media campaign explaining that "privacy" is a commie plot to undermine god-fearing patriotism in the States, and that GDPR is the proven cause of Covid-19...

    1. quxinot Silver badge

      It's worse than that. This sets a precedent for weak laws to be accepted on this subject, where the corporations are favored much more heavily than the citizens. So good luck upgrading to something with a bit of teeth to protect the citizen's rights.

      1. John Brown (no body) Silver badge

        Corporations are "citizens" too in the USA. And in the USA, the citizens with the money get most influence over how the laws get written.

    2. NetBlackOps Bronze badge

      I use slight differences in the information I submit to the world+dog to get a sense of who is selling what information about me and, by far, the worst offender is Bank of America, not any of the tech giants. I've even seen things that I've bought using my ATM and credit cards that I have with them, offline, influence advertising.

  6. rcxb Silver badge

    The CCPA is quite useful already, though not for the intended purpose.

    Magazine subscriptions are practically free because most of the money comes from advertising and selling of your contact info to 3rd parties. Now with the "do not sell" option you can sign-up for a periodical and immediately tell them not to sell you onto the "sucker lists" that result in floods of commercial mailings, and worse.

    Even better, with the "delete my info" option, any unwanted company who has contacted you by whatever means can be told to knock it off, and legally must purge you from their system. Particularly useful in the event of other people mystyping their contact information as yours. Trying to correct such errors was previously a Sisyphean farce from the 7th circle.

    Not very helpful while you have an account with a service like Google/Facebook/etc, but excellent the moment you decide to delete it, and wish for everything they know about you to be purged and forgotten.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020